Azure Suspicious VM Run Command Execution


Detection overview

Triggers

  • The Microsoft Entra Identity executing the command does not typically perform Run Commands on Azure VMs.
  • The execution of the Run Command is occurring outside of regular business hours.
  • Multiple instances of suspicious Run Command executions are detected within a short timeframe.
  • Run Commands are being executed anomalously across multiple VMs.
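The four triggers above can be expressed as checks over Azure Activity Log records. The following is an added example, not the vendor's detection logic: it assumes simplified Activity Log field names (`operationName`, `caller`, `eventTimestamp`, `resourceId`, `status`), a constructed set of sample records, a 30-day-style baseline cutoff, assumed business hours of 08:00 to 18:00 Monday to Friday, and assumed burst and multi-VM thresholds. The operation name `Microsoft.Compute/virtualMachines/runCommand/action` is the one Azure emits for a Run Command invocation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Activity Log operation name emitted when a Run Command is invoked on a VM.
RUN_COMMAND_OP = "Microsoft.Compute/virtualMachines/runCommand/action"

# Assumed policy values: tune to the organization's own working pattern.
BUSINESS_START_HOUR = 8      # 08:00 local (timestamps here are treated as local)
BUSINESS_END_HOUR = 18       # 18:00 local
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 3          # >= 3 Run Commands inside BURST_WINDOW
MULTI_VM_THRESHOLD = 2       # >= 2 distinct VMs inside BURST_WINDOW

# Constructed sample records (not real telemetry), simplified Activity Log shape.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-06-03T10:00:00Z", "caller": "ops@contoso.example",
     "operationName": RUN_COMMAND_OP, "resourceId": "vm-web-01", "status": "Succeeded"},
    {"eventTimestamp": "2024-06-11T09:00:00Z", "caller": "ops@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "resourceId": "vm-web-01", "status": "Succeeded"},
    {"eventTimestamp": "2024-06-11T09:30:00Z", "caller": "ops@contoso.example",
     "operationName": RUN_COMMAND_OP, "resourceId": "vm-web-01", "status": "Succeeded"},
    {"eventTimestamp": "2024-06-11T02:04:00Z", "caller": "svc-deploy@contoso.example",
     "operationName": RUN_COMMAND_OP, "resourceId": "vm-web-01", "status": "Failed"},
    {"eventTimestamp": "2024-06-11T02:05:00Z", "caller": "svc-deploy@contoso.example",
     "operationName": RUN_COMMAND_OP, "resourceId": "vm-web-01", "status": "Succeeded"},
    {"eventTimestamp": "2024-06-11T02:06:00Z", "caller": "svc-deploy@contoso.example",
     "operationName": RUN_COMMAND_OP, "resourceId": "vm-web-02", "status": "Succeeded"},
    {"eventTimestamp": "2024-06-11T02:07:00Z", "caller": "svc-deploy@contoso.example",
     "operationName": RUN_COMMAND_OP, "resourceId": "vm-db-01", "status": "Succeeded"},
]


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamp used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def run_command_events(events):
    """Keep only succeeded Run Command invocations, ordered by time."""
    hits = [e for e in events
            if e["operationName"] == RUN_COMMAND_OP and e["status"] == "Succeeded"]
    return sorted(hits, key=lambda e: parse_ts(e["eventTimestamp"]))


def baseline_callers(events, cutoff):
    """Identities that issued Run Commands before `cutoff` (the learning period)."""
    return {e["caller"] for e in run_command_events(events)
            if parse_ts(e["eventTimestamp"]) < cutoff}


def outside_business_hours(ts):
    """True on weekends or outside the assumed 08:00-18:00 working window."""
    return ts.weekday() >= 5 or not (BUSINESS_START_HOUR <= ts.hour < BUSINESS_END_HOUR)


def evaluate(events, cutoff):
    """Return {caller: set of trigger names} for Run Commands at or after `cutoff`."""
    known = baseline_callers(events, cutoff)
    recent = [e for e in run_command_events(events)
              if parse_ts(e["eventTimestamp"]) >= cutoff]
    by_caller = defaultdict(list)
    for e in recent:
        by_caller[e["caller"]].append(e)

    findings = {}
    for caller, evs in by_caller.items():
        triggers = set()
        if caller not in known:                       # identity never seen doing this
            triggers.add("new_identity")
        if any(outside_business_hours(parse_ts(e["eventTimestamp"])) for e in evs):
            triggers.add("off_hours")
        # Sliding window: from each event, look ahead BURST_WINDOW for more executions.
        for i, e in enumerate(evs):
            t0 = parse_ts(e["eventTimestamp"])
            window = [x for x in evs[i:]
                      if parse_ts(x["eventTimestamp"]) - t0 <= BURST_WINDOW]
            if len(window) >= BURST_THRESHOLD:
                triggers.add("burst")
            if len({x["resourceId"] for x in window}) >= MULTI_VM_THRESHOLD:
                triggers.add("multi_vm")
        if triggers:
            findings[caller] = triggers
    return findings


if __name__ == "__main__":
    for caller, why in evaluate(SAMPLE_EVENTS, parse_ts("2024-06-10T00:00:00Z")).items():
        print(caller, sorted(why))
```

Only succeeded invocations count toward the burst and multi-VM checks, so a failed attempt does not inflate the count; an analyst triaging the alert would still want to look at failures, since they show what the identity tried to do. The baseline here is simply "has this caller ever run a Run Command before the cutoff"; a production rule would key the baseline on a rolling window and on the specific VM or resource group as well.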

Possible Root Causes

  • Unauthorized Access: An attacker has gained access to a Microsoft Entra Identity and is using it to execute Run Commands on VMs without permission.
  • Misconfigured Permissions: A Microsoft Entra Identity has excessive privileges, allowing it to execute Run Commands on VMs it should not have access to.
  • Malware or Exploitation Tool: An attacker is using malware or tools to abuse the VM's operating system, escalate privileges, and execute Run Commands.
  • Legitimate Administrative Action: A valid Microsoft Entra Identity is running a script to configure a new VM for production use, requiring Run Commands with elevated privileges.
  • Automated Deployment: A legitimate application is utilizing Azure's Run Command feature to automate updates and patches for a VM or fleet of VMs.

Business Impact

  • Data loss or corruption due to unauthorized deletions.
  • Security breaches resulting from the exploitation of vulnerabilities or abuse of privileges.
  • Compliance issues due to non-adherence to security policies.
  • Downtime and revenue loss caused by malicious activity.

Steps to Verify

  • Review the actions taken by the Microsoft Entra Identity after the identified activity to assess potential risks.
  • Investigate the Microsoft Entra Identity executing the Run Command for any signs of unauthorized access or excessive privileges.
  • Analyze the parameters used in the Run Command to identify potential security risks, such as the deletion of sensitive data.
  • Verify if the suspicious Run Commands are occurring within regular business hours or if there are multiple instances within a short timeframe.
  • Ensure that the VM's configuration and permissions align with organizational security policies.